Both federal policies – FERPA and COPPA – presume that schools have the resources and knowledge to assess their own data security practices, to say nothing of their vendors. Emerging evidence says otherwise.